Method for the transmission of data in a packet-oriented data network

ABSTRACT

Method for the transmission of data between at least two communication devices (1, 3) connected to each other by means of a data network (2), whereby information data is transmitted by means of a security device (11) that is connected to the second communication device (3) and protects it against unauthorised access, while audio and video data is transmitted directly, bypassing the security device (11).

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application is the US National Stage of International Application No. PCT/DE02/03356, filed Sep. 10, 2002, and claims the benefit thereof. The International Application claims the benefit of German application No. 10147146.7 DE filed Sep. 25, 2001; both applications are incorporated by reference herein in their entirety.

FIELD OF INVENTION

[0002] The invention relates to a method for packet-oriented transmission of data between at least two communication devices, in accordance with the preamble of patent claim 1, and to a proxy.

BACKGROUND OF INVENTION

[0003] Communication links for voice transmission have previously been predominantly circuit oriented. For this purpose a physical connection is provided for signal transmission between two communication end points and is reserved for the entire duration of the connection. This is also referred to as circuit-oriented transmission, static routing or through-switching.

[0004] With the advent of packet-oriented data networks (packet switching) such as the Internet, reduced-cost communication compared to circuit switching is being provided in the fixed network area. The particular reason for this is the efficient capacity utilization of a connection: by contrast with circuit switching, packet switching does not occupy the physical transmission medium for the entire duration of the connection. The data to be transported is subdivided into individual data packets, each carrying an address code that identifies the recipient of the transmission. The individual data packets are then transmitted independently of each other; they can even use different transmission paths. The principle of packet switching is defined in various standards, the best known being ITU-T Recommendation X.25.

[0005] VoFR (Voice over Frame Relay) and VoIP (Voice over IP) are known as packet-oriented methods of transmission for voice. In these methods the data is digitized, undergoes source coding and preferably channel coding, and is divided into data packets which are then transferred over the Internet. The data to be transmitted can be composed of voice and/or video data and of information data, and serves for example for the transmission of video conferences over the Internet.

[0006] To allow transmission of voice and/or video data and information data within the framework of a multimedia conference over the Internet, international standards have been created. These include the H.323 standard and the SIP standard, which use protocols known from the Internet such as UDP (User Datagram Protocol) and RTP (Real-time Transport Protocol).

[0007] Increasingly, security facilities are provided to protect against unauthorized access to communication devices. These are devices which prevent or render more difficult unauthorized access to data and/or prevent computer viruses from being received by filtering out data containing them. These security devices are also frequently known as firewalls. A firewall in such cases is set up at the point in the data network at which a protected internal network, for example an Intranet, connects to the Internet. All data arriving from the Internet or going out from the internal network passes through the firewall. This gives the firewall the opportunity to ensure that this data traffic is trustworthy, i.e. that it accords with the security policy of the relevant site. A firewall thus corresponds to a checkpoint through which all incoming and outgoing data traffic must pass. Bundling the security measures at this one checkpoint is significantly more efficient than spreading the security-relevant decisions and technologies across the organization and covering every weak point section by section.

[0008] The IP addresses needed for the transmission of data are as a rule assigned dynamically by the relevant Internet Service Providers (ISPs), which means that, before a connection is established over the Internet, the IP addresses must first be exchanged. A firewall arranged between the data networks is however as a rule designed to recognize static IP addresses.

[0009] For each connection new port numbers must be defined at the firewall, and these apply only for the duration of that individual connection. Such dynamically determined port numbers cause problems in the processing of data by the firewall device, which as a rule is set up to recognize statically defined port numbers. For reasons of security, operators and administrators of current firewall systems may as a rule not make any changes to the configuration to let such data pass through the firewall, since otherwise the risk of unauthorized access to the communication devices increases. This is why, for example, a multimedia conference using a VoIP connection with an intermediate firewall proves to be extremely problematical.

[0010] Conventionally, existing firewalls are expanded by additional devices which recognize multimedia data and direct it through the firewall. However, this requires an existing firewall system to be replaced by a new one, which has to be configured completely afresh and can also introduce new security gaps.

SUMMARY OF INVENTION

[0011] The object of the invention is thus to develop a method of the generic type in such a way that data arriving at a security device located in the data network is transmitted through this security device while retaining its existing security configuration. A further object of the invention is to provide a proxy for executing the method.

[0012] This object is achieved, as regards the method, by the features of patent claim 1 and, as regards the device, by the features of patent claims 10 and 11.

[0013] One major feature of the invention is that the information data, for protection against unauthorized access to the communication devices, is transmitted to the security device, while the voice and/or video data is transmitted so as to bypass the security device. A major advantage of the method lies in the fact that no changes have to be made to the configuration of the existing firewall system to let all the data pass. A further advantage of the method lies in the fact that the voice and/or video data does not have to be subjected to any security checking, which relieves the firewall of the load of analyzing this data. It proves to be extremely advantageous that, although the majority of the data belonging to the multimedia stream bypasses the firewall, no restrictions on the protection against unauthorized access to the communication device have to be accepted.

[0014] In a preferred embodiment the information data is separated from the voice and/or video data by a selection device located within a first proxy. Only the information data is then transmitted from the first proxy to the firewall and subjected to security checking there. The checks conducted include whether this data would enable unauthorized access to communication equipment or whether it might contain computer viruses. The security-checked data is then transmitted to an assembly device located within a second proxy. The voice and/or video data, on the other hand, is transmitted directly from the first proxy to the assembly device.

[0015] The data is then reassembled into the original multimedia data. To carry out this reassembly the system refers to data contained in an additional field (header) of the individual data packets. The headers contain general protocol data from which the original order of the data can be reconstructed. After reassembly the data is transmitted to the communication device.

[0016] In a preferred embodiment the data network is set up as a communication system in accordance with the H.323 standard for transmission of VoIP data. The H.323 standard specifies a standard for real-time communication and describes the transport of data over IP-based networks. In a further embodiment the data network is set up as a multimedia communication system in accordance with the SIP standard.

[0017] Preferably the data is distributed in accordance with the Real-time Transport Protocol (RTP) over a number of IP packets. Time stamps giving the sampling instant and also sequence numbers are incorporated into the headers of these packets. This allows the receiving device to assemble the packets not only in the right order but also with the timing synchronized. In addition RTP defines the encoding of audio, video and data in accordance with a number of codecs, i.e. coding and decoding procedures defined by the ITU for the analog and digital coding of audio, video and data in telephone networks.
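The reordering step described in [0015] and [0017] rests on the sequence number and time stamp in each RTP header. As an added example (not code from the patent or from any product it describes), the following parses the fixed 12-byte RTP header of RFC 3550 and reassembles a stream delivered out of order: it restores transmission order across the 16-bit sequence-number wraparound, drops duplicates, ignores packets from a different SSRC and reports the sequence numbers that never arrived. The packets, SSRC and payload-type values are constructed inline.

```python
"""Reassembly of an RTP stream from packets delivered out of order.

Added example, not part of the patent text. The header layout is the
fixed 12-byte RTP header of RFC 3550; packets, SSRC and payload-type
values below are constructed for illustration.
"""
import struct

RTP_HEADER_LEN = 12
RTP_VERSION = 2


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the fixed RTP header; reject anything that is not RTP v2."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than the fixed RTP header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    if b0 >> 6 != RTP_VERSION:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    csrc_count = b0 & 0x0F
    header_len = RTP_HEADER_LEN + 4 * csrc_count  # CSRC list follows the fixed header
    if len(packet) < header_len:
        raise ValueError("truncated CSRC list")
    return {
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "payload": packet[header_len:],
    }


def build_rtp_packet(seq: int, timestamp: int, payload: bytes,
                     payload_type: int = 0, ssrc: int = 0x1234ABCD,
                     marker: bool = False) -> bytes:
    """Construct a minimal RTP packet (version 2, no CSRCs, no extension)."""
    b0 = RTP_VERSION << 6
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc) + payload


def seq_distance(base: int, seq: int) -> int:
    """Signed distance from base to seq modulo 2**16, so 65535 -> 0 is +1."""
    d = (seq - base) & 0xFFFF
    return d - 0x10000 if d >= 0x8000 else d


def reassemble(packets):
    """Return (payloads in transmission order, lost sequence numbers).

    Duplicates are dropped, and packets whose SSRC differs from the first
    packet's are ignored because they belong to another stream.
    """
    headers = [parse_rtp_header(p) for p in packets]
    if not headers:
        return [], []
    ssrc, base = headers[0]["ssrc"], headers[0]["seq"]
    by_offset = {}
    for h in headers:
        if h["ssrc"] == ssrc:
            by_offset.setdefault(seq_distance(base, h["seq"]), h)
    lo, hi = min(by_offset), max(by_offset)
    payloads, lost = [], []
    for offset in range(lo, hi + 1):
        if offset in by_offset:
            payloads.append(by_offset[offset]["payload"])
        else:
            lost.append((base + offset) & 0xFFFF)
    return payloads, lost


# Constructed sample: five 20 ms G.711 frames (160 samples each) whose
# sequence numbers wrap from 65535 to 0, delivered out of order, with one
# duplicate and one packet (seq 2) missing.
_FRAMES = [(65534, b"A"), (65535, b"B"), (0, b"C"), (1, b"D"), (3, b"E")]
_TS = {seq: seq_distance(65534, seq) * 160 for seq, _ in _FRAMES}
_IN_ORDER = [build_rtp_packet(seq, _TS[seq], data, marker=(seq == 65534))
             for seq, data in _FRAMES]
SAMPLE_PACKETS = [_IN_ORDER[2], _IN_ORDER[1], _IN_ORDER[4],
                  _IN_ORDER[0], _IN_ORDER[2], _IN_ORDER[3]]

if __name__ == "__main__":
    ordered, missing = reassemble(SAMPLE_PACKETS)
    print(b"".join(ordered), missing)  # b'ABCDE' [2]
```

The signed-distance comparison is what makes the wraparound safe; sorting on the raw 16-bit value would place sequence number 0 before 65534 and corrupt the playout order at every wrap.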

[0018] In a preferred embodiment, to safeguard the data channels between the proxies and the firewall, authenticated channels are used in order to close these last "loopholes" for potential hacker attacks. Access to the authenticated channels is reserved exclusively to authorized subscribers.

[0019] Alternatively it is also possible to resort to encryption to safeguard the information data.
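An authenticated channel in the sense of [0018], as an added example that is not from the patent: each frame of information data passed from a proxy to the firewall carries a channel identifier, a strictly increasing sequence number and an HMAC-SHA256 tag under a key shared only by the two authorized endpoints, so a host that merely has network reachability to the firewall port can neither inject nor replay frames. The key, channel identifier and frame layout are assumptions of this example. For the encryption alternative in [0019] one would replace the MAC with an authenticated-encryption mode such as AES-GCM; that is not shown here.

```python
"""Authenticated channel between a proxy and the security device.

Added example, not part of the patent text. Frame layout (assumed):
    4-byte channel id | 8-byte sequence number | body | 32-byte HMAC-SHA256
The key must be shared out of band by the two authorized endpoints.
"""
import hashlib
import hmac
import struct

HEADER_FMT = "!IQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12
TAG_LEN = hashlib.sha256().digest_size     # 32


class ChannelError(Exception):
    """Raised for frames that must not be forwarded to the firewall."""


def _tag(key: bytes, header: bytes, body: bytes) -> bytes:
    # The tag covers the header too, so channel id and sequence number
    # cannot be altered without invalidating it.
    return hmac.new(key, header + body, hashlib.sha256).digest()


class AuthenticatedSender:
    def __init__(self, key: bytes, channel_id: int):
        self._key, self._channel_id, self._seq = key, channel_id, 0

    def seal(self, body: bytes) -> bytes:
        self._seq += 1   # never reused within the lifetime of the key
        header = struct.pack(HEADER_FMT, self._channel_id, self._seq)
        return header + body + _tag(self._key, header, body)


class AuthenticatedReceiver:
    def __init__(self, key: bytes, channel_id: int):
        self._key, self._channel_id, self._last_seq = key, channel_id, 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < HEADER_LEN + TAG_LEN:
            raise ChannelError("frame too short")
        header = frame[:HEADER_LEN]
        body, tag = frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Verify before interpreting any field: unauthenticated input is
        # never parsed. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(tag, _tag(self._key, header, body)):
            raise ChannelError("bad tag: not from an authorized peer")
        channel_id, seq = struct.unpack(HEADER_FMT, header)
        if channel_id != self._channel_id:
            raise ChannelError("frame belongs to a different channel")
        if seq <= self._last_seq:
            raise ChannelError("replayed or stale frame")
        self._last_seq = seq
        return body


def try_open(receiver: AuthenticatedReceiver, frame: bytes):
    """Return the body if the frame is accepted, else None (frame discarded)."""
    try:
        return receiver.open(frame)
    except ChannelError:
        return None


if __name__ == "__main__":
    key = bytes(range(32))          # demo key; use a random 32-byte key in practice
    proxy = AuthenticatedSender(key, channel_id=7)
    firewall = AuthenticatedReceiver(key, channel_id=7)
    frame = proxy.seal(b"INVITE sip:bob@example.invalid SIP/2.0")
    print(try_open(firewall, frame))   # accepted once
    print(try_open(firewall, frame))   # None: replay rejected
```

The receiver rejects any sequence number that does not advance, so a captured frame cannot be replayed and frames cannot be reordered behind the receiver's back; if the transport can legitimately reorder, a sliding replay window would replace the strict comparison.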

[0020] To exclude possible "attacks" on the proxies using File Transfer Protocol (FTP), Telnet or Ping, for example, the proxies are designed with an IP packet filter functionality. A packet filter at IP level only lets through IP data packets which satisfy specific predefined criteria. These can include the direction, the sender address, the receiver address, the source port, the destination port, etc.
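The selection device of [0014] together with the packet filter of [0020], as an added example that is not the patent's own implementation: a first-proxy classifier for SIP. All signalling (the information data) is handed to the firewall; a media pinhole is opened only for the address and port announced in the SDP of an INVITE, and only when that address is the one the INVITE actually came from; RTP matching the pinhole bypasses the firewall; BYE closes the pinhole; everything else (Telnet or FTP probes, RTP on an unnegotiated port, non-RTP payload on the pinhole) is dropped. The SIP messages, addresses and ports are constructed. Only the inbound direction is shown; the mirror function of the second proxy ([0029]) is the same logic with the directions swapped.

```python
"""First-proxy selection device with an IP-level packet filter.

Added example, not part of the patent text. Addresses, ports and the
SIP/SDP messages are constructed; the classification rules are the
ones a practitioner would expect from [0014] and [0020].
"""
import re
from dataclasses import dataclass

SIP_PORT = 5060
TO_FIREWALL, BYPASS, DROP = "to-firewall", "bypass-firewall", "drop"


@dataclass(frozen=True)
class Packet:
    direction: str          # "in": public network -> local network
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def sip_request_method(msg: bytes):
    first = msg.split(b"\r\n", 1)[0]
    return first.split(b" ", 1)[0].decode("ascii", "replace") if b" " in first else None


def sip_call_id(msg: bytes):
    m = re.search(rb"^Call-ID:[ \t]*(\S+)", msg, re.M | re.I)
    return m.group(1).decode("ascii", "replace") if m else None


def parse_sdp_media(msg: bytes):
    """Return (ip, port) from the c= line and first audio/video m= line of the SDP body."""
    _, _, body = msg.partition(b"\r\n\r\n")
    ip = port = None
    for line in body.split(b"\r\n"):
        if line.startswith(b"c=IN IP4 "):
            ip = line[len(b"c=IN IP4 "):].decode("ascii")
        elif port is None and (line.startswith(b"m=audio ") or line.startswith(b"m=video ")):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP carries no usable media description")
    return ip, port


def looks_like_rtp(payload: bytes) -> bool:
    # RTP version field must be 2; keeps arbitrary UDP junk off the bypass path.
    return len(payload) >= 12 and payload[0] >> 6 == 2


class SelectionDevice:
    def __init__(self):
        self.pinholes = {}   # (remote_ip, remote_port) -> Call-ID

    def classify(self, pkt: Packet) -> str:
        if pkt.dst_port == SIP_PORT or pkt.src_port == SIP_PORT:
            self._track_signalling(pkt)
            return TO_FIREWALL           # information data: always security-checked
        if (pkt.direction == "in" and (pkt.src_ip, pkt.src_port) in self.pinholes
                and looks_like_rtp(pkt.payload)):
            return BYPASS                # negotiated media stream
        return DROP                      # FTP, Telnet, probes, unnegotiated RTP ...

    def _track_signalling(self, pkt: Packet):
        method, call_id = sip_request_method(pkt.payload), sip_call_id(pkt.payload)
        if method == "INVITE" and b"application/sdp" in pkt.payload:
            ip, port = parse_sdp_media(pkt.payload)
            # Only the host that sent the offer gets a pinhole; an offer
            # naming a third party's address is not honoured.
            if pkt.direction == "in" and ip == pkt.src_ip:
                self.pinholes[(ip, port)] = call_id
        elif method == "BYE":
            for key in [k for k, v in self.pinholes.items() if v == call_id]:
                del self.pinholes[key]


# Constructed sample traffic (documentation addresses, arbitrary ports).
REMOTE, LOCAL = "203.0.113.5", "10.0.0.7"
SDP = (b"v=0\r\no=alice 1 1 IN IP4 203.0.113.5\r\ns=-\r\n"
       b"c=IN IP4 203.0.113.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = (b"INVITE sip:bob@10.0.0.7 SIP/2.0\r\nCall-ID: c1@203.0.113.5\r\n"
          b"Content-Type: application/sdp\r\n"
          + b"Content-Length: %d\r\n\r\n" % len(SDP) + SDP)
BYE = b"BYE sip:bob@10.0.0.7 SIP/2.0\r\nCall-ID: c1@203.0.113.5\r\n\r\n"
RTP = b"\x80\x00\x00\x01\x00\x00\x00\xa0\x12\x34\xab\xcd" + b"\xff" * 160


def sample_trace():
    """Return [(description, verdict)] for a constructed inbound sequence."""
    dev = SelectionDevice()
    steps = [
        ("rtp before invite", Packet("in", REMOTE, 49170, LOCAL, 20000, RTP)),
        ("invite", Packet("in", REMOTE, 5060, LOCAL, 5060, INVITE)),
        ("rtp on negotiated port", Packet("in", REMOTE, 49170, LOCAL, 20000, RTP)),
        ("rtp from other port", Packet("in", REMOTE, 49172, LOCAL, 20000, RTP)),
        ("telnet probe", Packet("in", REMOTE, 40000, LOCAL, 23, b"\xff\xfb\x01")),
        ("non-rtp on pinhole", Packet("in", REMOTE, 49170, LOCAL, 20000, b"GET / HTTP/1.0")),
        ("bye", Packet("in", REMOTE, 5060, LOCAL, 5060, BYE)),
        ("rtp after bye", Packet("in", REMOTE, 49170, LOCAL, 20000, RTP)),
    ]
    return [(name, dev.classify(p)) for name, p in steps]
```

The pinhole is keyed on the remote address and port, is created only by signalling that has been routed to the firewall, and disappears with the call, which is the property that lets the media path bypass the firewall without loosening the firewall's own rule set. The "same address as the sender" check is deliberately conservative: a peer behind NAT whose SDP announces a private address will not get a pinhole and would need a session border controller or symmetric-RTP handling instead.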

BRIEF DESCRIPTION OF DRAWINGS

[0021] Further advantages are produced by the subclaims as well as by the descriptions of the preferred exemplary embodiments below, which are explained in more detail on the basis of the diagrams. The diagrams show:

[0022] FIG. 1 an example of a security system in a form of embodiment of the invention,

[0023] FIG. 2 an example of a first proxy, and

[0024] FIG. 3 an example of a second proxy.

DETAILED DESCRIPTION OF INVENTION

[0025] FIG. 1 shows an example of a security system in a form of embodiment of the invention. In this exemplary embodiment a subscriber would like to set up a connection via a first communication device 1, which is connected to the public data network 2, for example the Internet, to a second communication device 3, which is connected to a local data network 4. Over this connection multimedia data, consisting of voice and/or video data and associated information data, is transmitted, for example. The network infrastructure is based on an Internet protocol, for example in accordance with the H.323 standard or the SIP standard. The local data network 4 is connected to the public data network 2 via a security system 10 consisting of a security device 11, especially a firewall, a first proxy 12 and a second proxy 13. Viewed from the second communication device 3, the first proxy 12 is located behind the security device 11 and the second proxy 13 in front of it.

[0026] A multimedia data stream directed from the public data network 2 to the second communication device 3 is comprehensively filtered in the first proxy 12 so that the information data is separated from the voice and/or video data. Subsequently only the information data is sent to the security device 11.

[0027] The security checking of the information data undertaken within the security device 11 is hardware-based and uses a processor, especially a Digital Signal Processor (DSP). In a further exemplary embodiment the security checking is undertaken by an algorithm running on a processor. An advantage of this software-based security checking lies in the fact that constantly updated programs, especially virus checking programs, can be stored in a database to which the processor has access. This means that the latest viruses can be detected and filtered out.

[0028] The voice and/or video data is transmitted to the second proxy 13, bypassing the security device 11. The security-checked information data is likewise transmitted by the security device 11 to the second proxy 13 and is then merged with the voice and/or video data, so that the original multimedia data stream is present at the output of the second proxy 13; this data stream is then transmitted over the local data network 4 to the second communication device 3.

[0029] This means that the communication devices 1 and 3 remain able to establish a mutual VoIP connection without any problems and transparently. If the first communication device 1 wishes to establish a connection to the second communication device 3, the first proxy 12 recognizes from the Internet protocol (e.g. H.323 or SIP) that there is a request to establish a connection. The data required for this is routed to the security device 11 via a port explicitly enabled for this purpose beforehand. The second proxy 13 returns the voice and/or video data into the local data network 4 together with the previous IP data stream. The second proxy 13 also keeps the connection data stored, so that when the second communication device 3 responds to the connection request from the first communication device 1, the second proxy 13 immediately recognizes the voice and/or video data and can direct the associated information data from the local data network 4 via a defined port to the security device 11.

[0030] The procedure would be the same if a connection were to be set up from the second communication device 3 to the first communication device 1. The second proxy 13 would then recognize this connection set-up and the first proxy 12 would take over the corresponding function for a smooth connection set-up to the first communication device 1.

[0031] FIG. 2 shows an exemplary embodiment of the first proxy 12 in a form of embodiment of the invention. The data packets originating from the public data network 2 are transmitted to a receive device 15 located within the first proxy 12 and passed on to a selection device 17. This device separates the information data contained within the data from the voice and/or video data and transmits the information data to a first send device 16 and the voice and/or video data to a second send device 18. The first send device 16 transfers the information data to the firewall 11; the second send device 18 transfers the voice and/or video data, bypassing the firewall 11, to the second proxy 13.

[0032] FIG. 3 shows an example of a second proxy 13 in a form of embodiment of the invention. The security-checked information data received from the firewall 11 is received by a first receive device 19, and the voice and/or video data transmitted from the first proxy 12 is received by a second receive device 20; both are passed to an assembly device arranged within the second proxy 13. This device reassembles the voice and/or video data and the information data into the original multimedia data stream, using the additional information contained in the headers of the IP packets to generate the correct order of the packets. The data is subsequently transmitted by a third send device 22 into the local data network 4 and via this network reaches the second communication device 3.

[0033] The execution of the invention is not restricted to the examples and aspects highlighted above, but is also possible within the framework of the claims in a plurality of variations which lie within the scope of normal activity.

1-11. (canceled).
12. A method for packet oriented transmission of data over a data network, comprising: connecting a sending communication device to a receiving communication device over the network, the sending and receiving devices adapted to transmit speech and/or video related data; transmitting unauthorized access information from the sending communication device to a security device; and transmitting the speech and/or video data from the sending communication device to the receiving communication device, the data transmission bypassing the security device.
13. The method in accordance with claim 12, wherein a selection device is arranged within a first proxy.
14. The method in accordance with claim 13, wherein a security check is made on the data transmitted from the first proxy to the security device, the security-checked data is transmitted to an assembly device arranged within a second proxy, the voice and/or video data is transmitted directly from the first proxy to the assembly device, and the voice and/or video data and the information data are reassembled within the assembly device into the original data and the data transmitted to the second communication device.
15. The method in accordance with claim 12, wherein the data network is a communication system in accordance with the H.323 standard for transmission of VoIP data and the security device is a firewall.
16. The method in accordance with claim 12, wherein the data network is a multimedia communication system in accordance with the SIP standard.
17. The method in accordance with claim 12, wherein the data is constructed in accordance with the RTP standard.
18. The method in accordance with claim 13, wherein at least one data channel between the security device and the proxy is embodied as an authenticated channel for exclusive use by authorized subscribers in order to protect against unauthorized access.
19. The method in accordance with claim 13, wherein the information data transmitted between the security device and the proxy is transmitted encrypted for protection against unauthorized access.
20. The method in accordance with claim 13, wherein the proxy is embodied with a packet filter functionality to protect against unauthorized access.
21. A proxy for executing a method for packet oriented transmission of data over a data network, comprising: a first receive device for receiving the data from a public data network; a selection device connected to the first receive device for selecting a set of information data from within a set of voice and/or video data; a first send device for transmitting the information data to the security device; and a second send device for transmitting the voice and/or video data to the proxy.
22. The proxy in accordance with claim 21, further comprising a second receive device to receive the security-checked information data from the security device and a third receive device to receive the voice and/or video data received from the proxy, an assembly device linked to the second receive device and the third receive device for assembling the data into the original data, and a third send device for transmitting the assembled data to the communication device.